Firefox, Chrome users more up to date than Safari and Opera

People who use Firefox or Chrome are more likely to be running the latest …

Those who use Firefox and Chrome are inherently more up-to-date—and therefore more secure—than those who run Safari and Opera, according to researchers from the Swiss Federal Institute of Technology (ETH Zurich) and Google Switzerland. But it's not the browsers themselves that magically make people stay updated—it's their built-in mechanisms that automatically update when new versions are available. These mechanisms are keeping a large majority of their users secure, even if power users and admins might get antsy over their loss of update control.

Swiss Federal Institute of Technology researcher Stefan Frei and Thomas Duebendorfer of Google released a paper with their findings this week called "Why Silent Updates Boost Security" (PDF). In it, they note that only about 45 percent of Internet users were using the most secure browser version when visiting Google's Web servers. This, of course, is bad news—as many Ars readers know, Web browsers are increasingly used to target vulnerable users with viruses, malware, adware, and more.

This discovery prompted the researchers to further examine what kinds of users are the most secure, and they found that 83 percent of all active Firefox users were using the latest version. However, Chrome's "silent-update" mechanism made it the most effective of all—the researchers found that 21 days after releasing Chrome version 1.0.154.48 (a version number that would surely not send most of us rushing to download), 97 percent of active Chrome 1.x users were using it. "This is by far the best update effectiveness measured for any of the four investigated Web browsers," reads the report.

Comparatively, browsers that don't stay on top of updates themselves performed poorly in Frei and Duebendorfer's analysis. Only 53 percent of Safari 3.x users had performed an update within three weeks of the update's release, and with newer releases of Safari 3.2.x, the update effectiveness was even lower. And Opera didn't fare any better. After three weeks of a new release, a maximum of 24 percent of active Opera 9.x users had the newest version installed. "It's a pity that 76 percent of Opera 9.x users currently don't benefit from the security improvements and new features of Opera versions within three weeks of its release," the researchers wrote.

Frei acknowledged in a post on his website, however, that while the silent update method may be the best for browser security, not all users are happy with the loss of control. Those who identify themselves as "expert users" are particularly sensitive to the loss of full control over what is installed on their machines, but it might be OK to let them deal with updates on their own. "Expert users don’t need to be excessively taken care by taking control over updates out of their hands. They supposedly know what they do and have the expertise to assess their risks in doing so," wrote Frei.

It's the regular old "ordinary" users who need the most help, he says, as there are more than a billion technically unsavvy people on the Internet with little-to-no protection other than the browser. "There is absolutely no need to confuse this class of users with unnecessary security decisions—which they anyway don’t understand," Frei notes. "I consider 'silent updates' the best solution for this group of users."

He concludes that the best option is for all browsers to include silent update options that are enabled by default, with the option for power users to turn it off. The large majority of users won't change the settings, while the remainder can customize their update preferences however they like. In the meantime, if you're a Safari or Opera user, what are you waiting for? Better go check to make sure you're up to date.

Far more damning is how annoying Firefox's update mechanism is. It waits until you actually want to do something, interrupts you, and then relaunches the browser. Chrome's silent update is seamless and a much better experience.

Opera currently has a very lame version check that only runs when you start the browser. Since I leave it running and just put my machine to sleep I almost never see it; instead I mainly find out about new versions from stumbling across a news report on websites. The update notification only includes a link to the website - you still have to download and install it yourself.

Fortunately they have added an auto-update feature to Opera 10 (currently in Alpha) that will hopefully fix this.

I have my computer automatically check for updates once a day for all Apple software. Once it hits, at most I will wait one day to see how the early updaters are doing; most of the time only a few hours. SW update for the win.

I don't think that the "non-silent" FF update is the cause of 17% of users not using the latest version. After all, it is automatic and on by default, if it's disabled it more than likely means that the user is a power user/developer that needs to maintain an older version of Firefox.

Originally posted by 2late2die:I don't think that the "non-silent" FF update is the cause of 17% of users not using the latest version. After all, it is automatic and on by default, if it's disabled it more than likely means that the user is a power user/developer that needs to maintain an older version of Firefox.

Or is simply using an add-on/extension that is not yet available for or compatible with, the latest version. Same effect. I happen to be stuck in that ugly little boat myself at the moment. I'd like to install 3.x, but don't want to give up some functionality for it just yet.

Originally posted by JournalBot:People who use Firefox or Chrome are more likely to be running the latest version of the software when compared against Safari and Opera users, according to Swiss security researchers. This is thanks to the browsers' auto-update mechanisms that are keeping the users of Firefox and Chrome as secure as possible with minimal user interaction.

A case in point: I once had the opportunity to talk to a Pidgin developer shortly after the public announcement of the gaim-pidgin change. The developer did not like the idea of auto-update in Firefox.

Developers seem to think that more choices are always better. Power to the user, they say. I have no idea how they would react to the idea that Chrome auto updates. As long as you allow me the option to turn it off, I guess they should be ok with that ...

As long as I have some choice and can trust the company I have no problem with auto updates of security fixes.

If you were in charge of IT for a company and your company had a web application that was critical to its business would you even consider using a browser whose updating you couldn't switch off -- bearing in mind that a browser update could break that application? Wouldn't you want to test updates before rolling them out to your users?

If you were in charge of IT for a company and your company had a web application that was critical to its business would you even consider using a browser whose updating you couldn't switch off

Luckily I am in a company where I can more or less choose freely which browsers I use. We have a "frozen" IE that is used for instances when the other browser does not work. So I do not see the problem.

Besides if your "critical" web application is written in a way that it is broken by every second browser security update you have a problem. I know that this is the reality and is often the case. Doesn't make it less idiotic though.

We have a "frozen" IE that is used for instances when the other browser does not work. So I do not see the problem.

Presumably, your IT department do even if you don't, if they've made that provision. Lucky they can freeze it.

You'd find large companies have company-wide browser policies and frequently do have in-house web applications that, unfortunately, might well be specific to a browser. I know of one I shan't name that uses an application (from Siemens, I think) that hooks into the browser and runs an XML/XSLT order gateway in it.

Would you like to be responsible for breaking the order gateway, because you didn't do your job and didn't test?

quote:

Besides if your "critical" web application is written in a way that it is broken by every second browser security update you have a problem

That's just being argumentative and giving rhetorical flourishes for the sake of it. "Every second" and "security" are nothing to do with it. In properly-run business they don't apply patches of any sort willy-nilly. They test first. And they certainly don't allow vendors to by-pass them and push updates on users as and when it suits the vendor. They wouldn't install products from vendors who do that.

Now there probably is an argument for pushing updates -- or, at any rate, security updates -- down home users' throats. In business it won't fly.

But this whole story has a smell of dead fish about it, anyway. Google's been criticized for its supposedly over-aggressive and certainly "silent", and unmodifiable update policy so -- guess what -- Thomas Duebendorfer of Google (see above) comes out with a study that just happens to say that Google's way is best. This "study" seems as much a media event arranged in Google's interest as a study.

Originally posted by JPan:Besides if your "critical" web application is written in a way that it is broken by every second browser security update you have a problem.

Sometimes apps are poorly written, yes. But just as often, if not more often, I have seen feature changes that are rolled out with security updates in an updated version that have broken apps.

A great example of this is WoW (Disclaimer: I have been WoW free for 6 months and counting). Forced updates are the M.O. of this game. However, almost every patch manages to break addons in some way, if not completely. They have changed the LUA interface more times than I have fingers and toes to count, including one complete overhaul. Every time this happens, Addons that some people consider crucial to their gaming experience (raid addons in particular) have been broken and left by the wayside even if they worked perfectly fine before. This has forced an undue burden on 3rd party developers to keep their stuff working.

Now, imagine that scenario in a corporate environment, only it's the browser or OS that changes constantly in the background with no testing, no regard for the other 3rd party apps you may be running on your backend. No, mandatory updates are NOT always a good thing. Home users have a bit more leeway, but updates are not always good. If you're going to have auto-updating it shouldn't include feature changes, only security updates. Even then, it's still questionable to me.

Sure so what's your point? On the other hand it's completely sufficient to have ONE browser as backup on a machine. A Firefox 2.0 with disabled update functionality would work just as well for example besides the shiny new updated FF 3.1 employees could use normally.

quote:

Would you like to be responsible for breaking the order gateway, because you didn't do your job and didn't test?

I still do not get your point. Nobody ever said that it should be impossible out of some religious reason to disable all updates for all browsers on a company machine. On the other hand it's equally senseless to make a "browsers shouldn't update automatically" argument out of this.

quote:

Would you like to be responsible for breaking the order gateway, because you didn't do your job and didn't test? ... that's just being argumentative

I put those sentences together because they fit nicely. On the one hand it is true that companies use stupid software (an XML order gateway in the browser shudder), that only works with specific software for example outdated browsers. This is the reality. I mean companies also use Excel to store huge amounts of operative data. Both approaches are equally idiotic but they are currently simply reality. I give you that. If companies are forced by employees to use software that is actually intended for this like a proper database to store data or an ERP system or process server to work with orders, companies would not be hurt hugely. ;-) These products normally support different browsers and are based on a decent architecture. Companies that rely on a product that some services guy put together with a hot needle on the other hand can need some encouragement to change.

Sometimes the user is a flaming moron who shouldn't get any more say in the updating of his browser/OS than he gets in the engine mappings of his car. There are some things that the vast majority of people just shouldn't dick with. Those are two.

Originally posted by Black_Obsidian:Sometimes the user is a flaming moron who shouldn't get any more say in the updating of his browser/OS than he gets in the engine mappings of his car. There are some things that the vast majority of people just shouldn't dick with. Those are two.

How would the "flaming moron" know to allow his browser and OS to auto-update while not allow anything else to auto-update? What makes them a flaming moron, essentially by definition, is they wouldn't know the difference.

How would the "flaming moron" know to allow his browser and OS to auto-update while not allow anything else to auto-update? What makes them a flaming moron, essentially by definition, is they wouldn't know the difference.

They should allow everything to auto-update. I repair PCs for a living, and I run into malware-infested PCs all of the time. Thanks to Automatic Updates, most of these PCs have the latest security updates for Windows, and many have Microsoft Update turned on and therefore have the latest updates for other MS software as well.

What the PCs do not have, and what I suspect is the reason for a lot of the malware (especially when they have current antimalware software installed) are security updates for everything else. Flash. Java. Adobe Reader. QuickTime. None of these programs update silently (even update notifications for them are hit-or-miss), and as a result they are often terribly out of date. They all have major security flaws that have been patched in the latest versions, and since they are all web browser plugins, any content requiring them gets run automatically.

Ideally, Microsoft would release an update framework that apps could plug into for automatic updates (that way I don't need to have a separate software updater running in the background for each program installed on my PC), but at the very least every application should silently update itself by default. I have no problem with a setting to disable this for power users or people who specifically need an older version. But the setting should only be accessible via a registry edit or similarly complicated method, to discourage average users from turning it off.

I'll never use a browser (or for that matter software/OS) where I can't turn auto-updates off. Like others pointed out before too many times fixes and updates mess things you don't want to up. From crashes to totally breaking web applications you use daily. Especially important for companies using custom web applications for internal use.

Or for example you're a web developer testing your web application on multiple versions of browsers you have installed in separate folders. Would suck if all those browsers auto updated themselves.

"Those who use Firefox and Chrome are inherently more up-to-date—and therefore more secure"

Hm? More up-to-date doesn't necessarily mean more secure. The latest version of Firefox could have more security vulnerabilities than an older version of Safari, for example (no idea if that's the case - just making an example).

Built-in auto-update means security fixes can be pushed out *faster*, but it doesn't mean that the browser is inherently more secure than others.

Originally posted by Bernd:I have my computer automatically check for updates once a day for all Apple software. Once it hits at most I will wait one day to see how the early updaters are doing most of the time only a few hours. SW update for the win.

I agree that Software Update is great, but it could stand to use some improvements. I often avoid applying some updates that require a restart. I think Apple should move to minimize or eliminate updates that require a restart whenever possible.

Further, I find that even though Software Update can run every day and check for updates, many users—often the ones that would most benefit from the updates—ignore or dismiss Software Update when there is something to install. This essentially renders it useless for a large swath of users.

"even if power users and admins might get antsy over their loss of update control."

Hum, in Firefox 3 (and in Opera 10, hopefully), auto-update can be turned off with a single click... Even if it's on by default (and this is better for the vast majority of home users, since they just don't watch it, IMO), it's easily deactivable... So where's the point?

Auto-update is good for home users (for security and performance), but can be tricky for business, so turn it off there. It's not like it's hard (ok, maybe with a thousand computers it is). But hey, IT departments are here for that (I know I'm gonna get flamed for this).

Power users now... Well, a power user that doesn't know how to change that option is NOT a power user, so there is no problem here.

What matters is the size and convenience of updates. Firefox's and IE's updates are usually small (Microsoft uses delta compression and Firefox I believe uses a similar technology). IE's updates are on a fixed schedule monthly, Firefox's updates only require a quick restart and check for plugin compatibility. Apple doesn't get the meaning of "update". Updating Safari 3.0.1 to 3.0.2 requires downloading the entire huge setup file (20+ MB), and uninstalling the whole thing, + uninstalling other unwanted stuff like Bonjour and reinstalling. And at least on Windows, Apple software update sucks. Google's method of not respecting user choice and not even allowing cancelling updates and constantly running GoogleUpdater.exe process and services is almost malware-like.

Interesting how this seems to be a positive story about using auto update. Considering how many dislike Microsoft's updates being done automatically I am surprised. I for one have used auto update on everything from Java to Windows and any other software with that feature. I consider it a big help in preventing problems and fixing the potential ones. It does not create all the problems people think. Sure there are those with conflict software that poses problems. But I do not see it that often myself.

Originally posted by Black_Obsidian:Sometimes the user is a flaming moron who shouldn't get any more say in the updating of his browser/OS than he gets in the engine mappings of his car. There are some things that the vast majority of people just shouldn't dick with. Those are two.

Problem is browsers are shite (Firefox, IE 6, IE 7 at least). You're not dumb enough to buy a car that needs servicing every two months, are you? Where would you think those clever programmers would put the engine?

Originally posted by barich:I have no problem with a setting to disable this for power users or people who specifically need an older version. But the setting should only be accessible via a registry edit or similarly complicated method, to discourage average users from turning it off.

Ok, you had me until there. The average user that turns it off (when they really should be leaving it on) obviously thinks they know more than they actually do. They're going to munt their registry if you enforce that. And power users (like myself) are going to get the shits with such an awkward way of ensuring we can monitor our own software. I'm happy with an obscure option, buried deep in the options screen somewhere.

I've got both Windows and Firefox (and everything else I can) set to notify me, and that's all. I tend to update when I can, but I like being able to avoid WGA, and other nonsense updates (like a 62MB font change to remove a swastika - we have very limited download caps here in Australia!)

I agree with you about everything else, especially that Spawn of Satan, Adobe.

Originally posted by tuxplorer:What matters is the size and convenience of updates. Firefox's and IE's updates are usually small (Microsoft uses delta compression and Firefox I believe uses a similar technology).

I wish that were true.

Firefox gives me the shits. If I download the entire browser, ready for a clean install, it's about 7MB, yet an "update" will be 9MB. How the fuck does that work?

quote:

Firefox's updates only require a quick restart and check for plugin compatibility.

And that's why I forgive them. IE requires a reboot, Apple requires your first born and right leg, and Chrome... makes me squirm.

quote:

Google's method of not respecting user choice and not even allowing cancelling updates and constantly running GoogleUpdater.exe process and services is almost malware-like.

Originally posted by jaem:Problem is browsers are shite (Firefox, IE 6, IE 7 at least). You're not dumb enough to buy a car that needs servicing every two months, are you? Where would you think those clever programmers would put the engine?